CVE-2026-47428
vitest-dev · vitest
A cross-site scripting vulnerability in Vitest Browser Mode allows attackers to inject malicious JavaScript and steal sensitive API tokens via crafted URLs.
Executive summary
A critical cross-site scripting vulnerability in Vitest Browser Mode allows attackers to execute arbitrary code and exfiltrate authentication tokens.
Vulnerability
The browser runner improperly handles the otelCarrier query parameter, which is injected directly into an inline script. This allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the Vitest server origin.
Business impact
With a CVSS score of 9.6, this vulnerability poses a severe threat, as it enables the theft of the VITEST_API_TOKEN. Compromise of this token may grant an attacker the ability to perform authenticated actions against the Vitest API, leading to further unauthorized access or manipulation of testing environments.
Remediation
Immediate Action: Update the vitest package to version 4.1.6, 5.0.0-beta.3, or later.
Proactive Monitoring: Monitor access logs for anomalous browser-runner URL requests containing unexpected query parameters or script-like characters.
Compensating Controls: Utilize a Content Security Policy (CSP) to restrict script execution and prevent the loading of malicious resources in the browser environment.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability presents a significant risk to the integrity of the development environment. Administrators must ensure all Vitest installations are updated to the fixed versions to prevent potential token theft and cross-site scripting attacks.